zydronium/neocities
1
0
Fork 0
mirror of https://github.com/neocities/neocities.git synced 2025-04-24 17:22:35 +02:00
Code Issues Projects Releases Packages Wiki Activity

no csrf_token for create

Browse source
This commit is contained in:
Kyle Drake 2025-04-15 15:34:47 -05:00
parent 2f0f5c2c01
commit f4fcf94b1a
2 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app.rb
View file

@ -69,6 +69,8 @@ def redirect_to_internet_archive_for_geocities_sites
end end
end end
WHITELISTED_POST_PATHS = ['/create_validate_all', '/create_validate', '/create'].freeze
before do before do
if request.path.match /^\/api\//i if request.path.match /^\/api\//i
@api = true @api = true
@ -83,7 +85,7 @@ before do
redirect '/tutorial/html/1' redirect '/tutorial/html/1'
else else
content_type :html, 'charset' => 'utf-8' content_type :html, 'charset' => 'utf-8'
redirect '/' if request.post? && !csrf_safe? redirect '/' if request.post? && !WHITELISTED_POST_PATHS.include?(request.path_info) && !csrf_safe?
end end
if params[:page] if params[:page]

1
views/index.erb
View file

@ -91,7 +91,6 @@
</div> </div>
<% else %> <% else %>
<form id="createSiteForm" class="signup-Form" onsubmit="return false"> <form id="createSiteForm" class="signup-Form" onsubmit="return false">
<input type="hidden" name="csrf_token" value="<%= csrf_token %>">
<input type="hidden" name="is_education" value="false"> <input type="hidden" name="is_education" value="false">
<fieldset class="content"> <fieldset class="content">
<h2 class="gamma">Sign up for free</h2> <h2 class="gamma">Sign up for free</h2>